MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6481dd646e6b2c2c66d976781cc79ef769cb6a885566f8d965b304f58cf08061. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6481dd646e6b2c2c66d976781cc79ef769cb6a885566f8d965b304f58cf08061
SHA3-384 hash: 2cd5cc1e119d31d82b21d9e0f0e876c9ef41a76163c590aec433b562fcce3f7aa994749474cb2cb330b2083cd75cf5df
SHA1 hash: 2b844662c114ffd2f8c9142c613837a01ef4d2a6
MD5 hash: 3d9f3343e9fa85ec37141c073132afbd
humanhash: happy-alaska-gee-robert
File name:Purchase Order.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:574'976 bytes
First seen:2022-05-23 06:10:40 UTC
Last seen:2022-05-23 12:54:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:juUc2iNJxbpi8v4Lfaw6c7dFllAlXtI3mjT4kuri6:K1TxNiLLSwHdF8lX9T4O
Threatray 1'691 similar samples on MalwareBazaar
TLSH T1B0C4E109EB62ADE4F13D43FD707094666F20DF26E9BE961A29E132530D31293045BDEB
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
2.56.57.16:25154

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
2.56.57.16:25154 https://threatfox.abuse.ch/ioc/627161/

Intelligence

File Origin
# of uploads :
2
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
Purchase Order.exe
Verdict:
Malicious activity
Analysis date:
2022-05-23 06:13:39 UTC
Tags:
trojan rat redline stealer
Link:
https://app.any.run/tasks/05fbb21e-2b11-403e-83fd-212c0305c96a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273530/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628b258165e3381599370f26/reports/79cd96da-8495-472d-9e46-d6ba5ee75993/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/807547bf-9bec-4223-bba1-997bf2bd4a72
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999530
Signature
.NET source code contains potential unpacker
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6481dd646e6b2c2c66d976781cc79ef769cb6a885566f8d965b304f58cf08061/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-23 06:11:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=msa52zdonmwcyzwzoz4bzr4665u4w2uikvtprwlfwmcpldhqqbqq._file
Verdict:
malicious
Similar samples:
099c32fb57ea9e110b7172e62d16c703aed391200456a5a0d43dc7de1deadc95
RedLineStealer
1abbde2370c16b13df70225a0c251790f64f3ba70067a30e959360da730eccae
RedLineStealer
2de49b3102da5350531a70b7d670ce8c1a9da5d664d7530325780b9d19aed395
RedLineStealer
708eeb5d5361791877d18bbbf3a92db7a192d098d15fffaaa28753ad59b574da
RedLineStealer
7133536be647a4809ef0e92fc1c0ca8a49db7ed0c79aad39874ae7731bc849b5
RedLineStealer
7815d7ba1693ba293e64e6d8052c559ec87cb905d27b9c462b5b10aee4dcb9a3
RedLineStealer
a9a3cf652bccfa1482aa9856a8c3ffe6ecd932d877f807cbe657130bd93f4de9
RedLineStealer
dc0ed0d428679dd6269a17ca9c6fd5d0af9ac0cf62fd66c3abf30736a0df9ad2
RedLineStealer
+ 1'681 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:xexcel discovery infostealer spyware stealer
Link:
https://tria.ge/reports/220523-gxl1xsfcbp/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction:
2.56.57.16:25154
Unpacked files
SH256 hash:
5908b5657ebdf0d32c533235c17918d4af7193eea615db2b3a05f3aeafa5ab08
MD5 hash:
9e2664cf48ec6abeea9f24050ce4bead
SHA1 hash:
f2f54ea26272d1bbf07e83488b2fe8821418ec40
Link:
https://www.unpac.me/results/27611905-cdba-4293-83ad-93afe15a98b0/
SH256 hash:
94e44548a263dd4962c9c9270a36879825d69534e3184e432aba1c0063654404
MD5 hash:
b2ead94165c4b4167bdfb8050ed9fb7f
SHA1 hash:
948b9b1dc0e300572173f9ab30ee7105c825c420
Link:
https://www.unpac.me/results/27611905-cdba-4293-83ad-93afe15a98b0/
SH256 hash:
5891b7a8bcf127bc911122af4b088655f31c66cfe027bf1f54dfae04c9deb253
MD5 hash:
3faeca9dc9736a9240130ae52e8d004b
SHA1 hash:
89a75529fba5412d22aeaefdec4a32640a603e4f
Link:
https://www.unpac.me/results/27611905-cdba-4293-83ad-93afe15a98b0/
SH256 hash:
cab3ac66513f09b99fc148b0e48e9a9f5b5e67e2e250265584a4c376822b225e
MD5 hash:
51a71c49137b63722a3288d748b7757b
SHA1 hash:
09693fab18b82e848daff3e955054b375b29c4a0
Link:
https://www.unpac.me/results/27611905-cdba-4293-83ad-93afe15a98b0/
SH256 hash:
6481dd646e6b2c2c66d976781cc79ef769cb6a885566f8d965b304f58cf08061
MD5 hash:
3d9f3343e9fa85ec37141c073132afbd
SHA1 hash:
2b844662c114ffd2f8c9142c613837a01ef4d2a6
Link:
https://www.unpac.me/results/27611905-cdba-4293-83ad-93afe15a98b0/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6481dd646e6b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/6481dd646e6b2c2c66d976781cc79ef769cb6a885566f8d965b304f58cf08061

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:pe_imphash
Create hunting rule
Rule name:RedLine_a
Create hunting rule
Author:@bartblaze
Description:Identifies RedLine stealer.
Rule name:redline_new_bin
Create hunting rule
Author:James_inthe_box
Description:Redline stealer
Reference:https://app.any.run/tasks/4921d1fe-1a14-4bf2-9d27-c443353362a8
Rule name:redline_stealer
Create hunting rule
Author:jeFF0Falltrades
Description:This rule matches unpacked RedLine Stealer samples and derivatives (as of APR2021)
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273530/

Comments